- Remember the UK privacy disasters:
- The latest Norwegian privacy blooper has again illustrated that building large systems entails risks including employees not following procedures. However, the larger the system the bigger the repercussions if something goes wrong.
2002 marked the first time that details of all Norwegian taxpayers' returns were published on the internet. Of course, the head of the Norwegian data protection authority immediately asked for the practice to be stopped.
It took just about a year before the government, led by then-prime minister Kjell Magne Bondevik, passed a law restricting online access to a maximum of three weeks from the day of publication.
What happened now?
Norwegian tax authorities informed the public that they had sent CD-ROMs filled with the 2006 tax returns of people living in Norway to the editorial staff of nine news organizations (e.g., national newspapers, radio and television stations). Once accessed, these CDs also contained the person identification code, something that should have been deleted before these data were sent out.
What does the personal identification number reveal about a person?
The person identification code works as outlined below.
- Each person has an identification number that is an eleven-digit birth number. It is assigned either at birth or when a foreigner registers with the National Population Register. The number is composed of the date of birth (DDMMYY), a three-digit individual number, as well as two check digits. Women are assigned even individual numbers, men are assigned odd individual numbers. In turn, the system allows Norway to uniquely identify people born between 1854 and 2039. Thereafter, a new system will have to be used.
It is also interesting that people without permanent residence in Norway are assigned a D-number upon registration with the population register. The D-number is like a birth number, except that the system adds the number 40 to the day of the month on which the person was born.
Based on the above it is obvious that this number allows one to identify each person by providing his or her birth date, gender, residence status and so forth.
When did it happen?
The CDs were already sent out during the summer. Why Norwegian authorities did not inform the public about this disaster until the media went public remains a mystery.
Nevertheless, this privacy blooper indicates that transparency is not working very well when it comes to privacy and data protection. The agency did not inform anybody about its mistake and refused to go public until the media wrote about it.
What about responsibility and accountability? Both were ignored, it seems.
Some cases of identity theft likely
Norwegian tax authorities stressed that the documents containing the tax records and personal identification numbers could only be opened by using a secret code that took 30 spaces to enter during login to gain access to the data on the CD-ROM.
Nevertheless, a few editorial teams had gotten hold of this secret code that was available for a few days only, thereby getting access to the personal identification numbers.
Much data is already available and has been used by some people. In turn, we expect a surge in identity theft cases in Norway in the next few months. Just because somebody forgot to check the CDs before they left the store… a 5 minute task. Unbelievable, but such things happen…
My take on this story
Once again, the case shows that using large schemes and databases, as required for national electronic ID cards, tax records or biometric passports:
- puts people’s privacy at risk,
- increases the likelihood of a substantial surge in the number of cases of identity fraud compared to today, AND
- makes adequate protection of data confidentiality and integrity a nearly insurmountable challenge, given the complexity of such huge databases.
Similar to Britain’s cases mentioned at the beginning of this story, human error and lack of quality control are at the root of this disaster. How Norway’s tax authority can make such a huge mistake whilst having best practice procedures regarding quality control measures in place is unclear. Actually, nobody checked the CDs before they left the office, which is just unacceptable.
Viewing what is on the CD would have revealed the mistake, allowing these CDs to be destroyed and new ones to be pressed and mailed to the media.
Is this too much to ask for?
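The check described above can be automated as a gate before any export leaves the building. The following is an added example, not code from this post or from the tax authority: it decodes what an eleven-digit number reveals using only the structure described earlier (DDMMYY, individual number parity, the D-number offset of 40) and scans a constructed export for fields that fit it. The file layout, names and sample numbers are made up, and the two check digits are not verified because the post does not give their algorithm.

```python
import re
from datetime import date

# Any run of exactly eleven digits is a candidate birth number or D-number.
CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")

def decode(number):
    """Return what the number reveals, or None if it does not fit the structure."""
    if not re.fullmatch(r"\d{11}", number):
        return None
    day, month, yy = int(number[0:2]), int(number[2:4]), number[4:6]
    individual = int(number[6:9])
    d_number = day > 40              # D-number: 40 is added to the day of month
    if d_number:
        day -= 40
    try:
        date(2000, month, day)       # leap year, so 29 February passes for any YY
    except ValueError:
        return None                  # not a plausible DDMMYY prefix
    return {
        "birth_ddmmyy": f"{day:02d}{month:02d}{yy}",
        "gender": "female" if individual % 2 == 0 else "male",
        "permanent_resident": not d_number,
    }

def scan_export(lines):
    """List (line number, decoded attributes) for every identifier found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in CANDIDATE.finditer(line):
            info = decode(match.group())
            if info:
                findings.append((lineno, info))
    return findings

# Constructed sample export; check digits are the placeholder "00".
SAMPLE_EXPORT = [
    "name;municipality;income;tax;id",
    "Kari Nordmann;Oslo;412000;118000;15057612400",
    "Ola Nordmann;Bergen;389000;104000;",            # identifier scrubbed
    "John Doe;Tromso;250000;61000;47118035700",      # day 47 = D-number
    "Acme AS;Oslo;99999999999;0;",                   # eleven digits, not a date
]

if __name__ == "__main__":
    hits = scan_export(SAMPLE_EXPORT)
    for lineno, info in hits:
        print(f"line {lineno}: identifier present, reveals {info}")
    print("RELEASE BLOCKED" if hits else "ok to release")
```

Any finding should stop the release, since a single surviving identifier means the scrubbing step did not run on that record.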
As well, the tax authorities have so far been unable to explain how and why such a stupid mistake happened. What does the government intend to do to keep the likelihood of a similar case happening in the near future low? Endangering Norwegians’ privacy and increasing their risk for identity theft is one thing. Keeping silent about what went wrong (we failed to check, and why), what will be done to avoid this in the future and so forth is irresponsible.
Regulation
NO – Act of 14 April 2000 No. 31 relating to the processing of personal data (Personal Data Act) (17 pages) [Online] (Available: http://www.datatilsynet.no/upload/Dokumenter/regelverk/lov_forskrift/lov-20000414-031-eng.pdf Last Access: September 19, 2008)
- The purpose of the Act of 14 April 2000 No. 31 relating to the processing of personal data (Personal Data Act) is to protect natural persons from violation of their right to privacy through the processing of personal data. The Act shall help to ensure that personal data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and ensure that personal data are of adequate quality. This Act transposes the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data into Norwegian law.
Norway’s Personal Privacy Commission has a December 8, 2008 deadline for “delivering a comprehensive status report outlining the challenges facing the protection of personal privacy” to the Storting (Parliament).
How prominently this latest privacy blooper involving all tax records will feature in this report is anybody’s guess. Nevertheless, this incident indicates that besides technical risks, human error tends to exacerbate threats regarding personal privacy and the risk for identity theft.